[Opendnssec-user] Is split horizon DNS possible?

Casper Gielen c.gielen at uvt.nl
Thu Jul 5 11:53:25 UTC 2012


> On 04-07-12 16:39, Casper Gielen wrote:
>
> Oh, that is quite a show-stopper. Can anybody confirm that this is not possible?
>
> Does anybody have an idea for a workaround on how to use OpenDNSSEC in a scenario with split horizon DNS?


Confirmed, OpenDNSSEC is not compatible with split-dns.
ODS uses the name of the zone as an identifier. Two zones with the same 
name are not possible. I've not found a work-around other than running 
two copies of ODS.

However, realistically speaking, split-dns with dnssec is only of 
limited utility. Split-dns is typically used to serve a different zone 
to 'internal' users that are on the same network as the DNS-server. Most 
often there is no separate resolver involved. Even if there is a 
separate resolver, the traffic between the client and the resolver is 
not secured.

My own reason for wanting to use split-dns in combination with DNSSEC is 
to keep my system simple. I don't want to treat the internal and 
external zones separately. I don't care about signing the internal zone, 
I just don't like making exceptions.

I've been told that ODS2 will contain support for split-dns and for 
unsigned zones.

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
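The collision Casper describes (ODS keys zones by name, so one zonelist cannot hold an internal and an external `example.net`) and his workaround (one ODS copy per view) can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread or from the OpenDNSSEC project. It parses a zonelist in the OpenDNSSEC 1.x `zonelist.xml` layout, reports zone names that occur more than once, and partitions the entries into one zonelist per view, i.e. one per ODS instance. The `view` attribute on `<Zone>`, the file paths and the view names are assumptions invented for the example; a real `zonelist.xml` has no such attribute.

```python
"""Partition OpenDNSSEC 1.x zone entries that share a name (split-horizon
views) into one zonelist.xml per ODS instance.

Added example for the opendnssec-user thread; not code from the thread or
from the OpenDNSSEC project.  The element names
(ZoneList/Zone/Policy/SignerConfiguration/Adapters/Input/Output/File) follow
the OpenDNSSEC 1.x zonelist.xml layout.  The 'view' attribute on <Zone>, the
file paths and the view names are assumptions made up for this example; real
zonelist.xml files carry no such attribute.
"""
import copy
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed input: example.net is defined twice, once per view, which is
# exactly what a single ODS instance cannot represent (zones are keyed by name).
SPLIT_ZONELIST = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.net" view="external">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/external/example.net.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/external/example.net</File></Input>
      <Output><File>/var/opendnssec/signed/external/example.net</File></Output>
    </Adapters>
  </Zone>
  <Zone name="example.net" view="internal">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/internal/example.net.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/internal/example.net</File></Input>
      <Output><File>/var/opendnssec/signed/internal/example.net</File></Output>
    </Adapters>
  </Zone>
  <Zone name="example.org" view="external">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/external/example.org.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/external/example.org</File></Input>
      <Output><File>/var/opendnssec/signed/external/example.org</File></Output>
    </Adapters>
  </Zone>
</ZoneList>
"""


def zone_names(zonelist_xml):
    """Zone names in a zonelist, in document order (duplicates kept)."""
    return [z.get("name") for z in ET.fromstring(zonelist_xml).iter("Zone")]


def duplicate_names(zonelist_xml):
    """Sorted list of zone names that occur more than once.

    A zonelist with a non-empty result cannot be loaded into one ODS
    instance: the name is the identifier, so the second entry would
    collide with the first."""
    counts = defaultdict(int)
    for name in zone_names(zonelist_xml):
        counts[name] += 1
    return sorted(name for name, n in counts.items() if n > 1)


def split_by_view(zonelist_xml):
    """Build one zonelist per view, i.e. per ODS copy in the workaround.

    Returns {view: zonelist_xml_string}.  The assumed 'view' attribute is
    stripped so each output is a plain zonelist.xml.  Raises ValueError if
    one view still defines the same name twice; that is an ordinary
    configuration error, not a split-horizon case."""
    by_view = defaultdict(list)
    for zone in ET.fromstring(zonelist_xml).iter("Zone"):
        by_view[zone.get("view", "default")].append(zone)

    result = {}
    for view, zones in by_view.items():
        root = ET.Element("ZoneList")
        for zone in zones:
            clean = copy.deepcopy(zone)
            clean.attrib.pop("view", None)
            root.append(clean)
        out = ET.tostring(root, encoding="unicode")
        dups = duplicate_names(out)
        if dups:
            raise ValueError("view %r defines %s more than once"
                             % (view, ", ".join(dups)))
        result[view] = out
    return result


if __name__ == "__main__":
    print("collisions in the combined list:", duplicate_names(SPLIT_ZONELIST))
    for view, xml in split_by_view(SPLIT_ZONELIST).items():
        print("zonelist for ODS instance %r: %s" % (view, zone_names(xml)))
```

Each generated zonelist is meant for its own ODS copy; the example assumes every copy also gets its own unsigned/signed/signconf directories (the per-view paths above), since two instances writing the same output file would undo the separation.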